
Import This Malicious User-Agent String Feed

Discussion created by RSA Admin Employee on Jan 10, 2014
Latest reply on Jun 16, 2014 by RSA Admin

Hello all,


One of the most powerful features of Security Analytics is the ability to create feeds on the fly using the feed creation wizard.


Feeds can be comprised of any values in any meta key.  The most common use cases are feeds of malicious IP addresses and Hostname Aliases.  However, for this exercise, the RSA FirstWatch Team wants to share its long list of known malware and malicious User-Agent strings.  We use this feed internally to identify known malware agents on our own network, and as we discover new malicious User-Agent strings, we will add to this feed as time moves along.


Step 1:  Preparation.

In order to take advantage of feeds, you should turn indexing on (IndexValues) for, feed.category and feed.desc on your concentrators and brokers that will communicate with your capture decoders.  This often requires a service restart, so you may need to schedule momentary downtime to get this working properly.  The feeds will still work without indexing your values, but any queries against the keys, and any reports that try to take advantage of the new data, will be slow to respond.


Step 2.  Grab the CSV file.

The CSV file for the feed is attached to the bottom of this post.


Step 3.  Run the Wizard.

In Security Analytics, go to Live -> Feeds.


On the next screen, click the big Plus button in the upper right to add a new feed.  You will be prompted with a radio button selection.  Choose Custom Feed.


Step 4.  Program Your Feed

Now you will follow these screen shots to ensure your feed works. 

Make sure you are selecting an Adhoc feed.  This means it is a one-time installation that can be updated periodically if you need to.  Then click Next.




Now you will select which of your decoders are going to house the feed.  In my example, my sandbox decoders are selected.  Click Next.



Here is the real configuration screen.  Since this is not IP related, choose the Non IP radio button.  My CSV is meant to contain all of the malicious user-agent strings in column 1 as my values.  So select to index column 1.


Since this is all related to HTTP traffic, I've chosen to select service type 80.


The callback key is the key that is normally populated with the values I want to be on the lookout for.  In this case, User-Agent strings populate the client key.  So I select the client key for Callback Keys.


When you choose to index column 1, it gets grayed out.  Now you need to set the column headers for columns 2, 3 and 4.  In this case, you want to select as column 2, feed.category as column 3, and feed.desc in column 4.


If your screen looks just like below, hit Next.



The next screen is a review screen.  Hit Finish and you are done!




Step 5:  Look for Results

So what does it look like when you get results?  Keep in mind that these UA strings are all related to malware communications.  Hopefully you won't see too much, but if you do, you may wish to investigate.  You could even create daily alerts and reports to monitor for the presence of these known bad UA strings.  But in our malware-only environment, it looks like this.  If you see similar results, you are likely in big trouble.



It should be noted here that we are confident that this simple feed works to identify malicious activity.  I simply drilled into the feed name of malicious ua string, and you can read the feed descriptions for the past 5 days.  Also note that there are scores of third-party feeds that are in agreement that the observed traffic is associated with malware, with iDefense Reputation being the most prevalent, even above FirstWatch.  (FirstWatch usually only looks for things that aren't already identified by someone else.)


Step 6:  Updating Your Feed:

To update your feed, simply go back to Live -> Feeds, select your feed and click the edit button.  Under step 4 above, you will see a link to download your feed.  It will download as a CSV file for easy local editing.  And if you want to change the categories and descriptions we've put in place, feel free to do so.  When you finish editing your feed, use the wizard to upload it again.  You will not have to change any of the configuration parameters.


Good luck and happy hunting!
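
An added example, not part of the original post or of RSA's tooling: a pre-upload check for a locally edited feed CSV (Step 6) in the four-column layout chosen in Step 4. The sample rows are constructed placeholders, the function names are hypothetical, and exact, case-sensitive matching on column 1 is an assumption about how the decoder compares values.

```python
import csv
import io

EXPECTED_COLUMNS = 4  # col 1 = indexed User-Agent value, cols 2-4 = meta values (Step 4)

# Constructed sample feed; the values are invented placeholders, not FirstWatch data.
SAMPLE_FEED = (
    'ExampleAgent/1.0,example feed,malware,constructed family A\n'
    '"Agent, with comma",example feed,malware,constructed family B\n'
    'ExampleAgent/1.0,example feed,malware,duplicate of row 1\n'
    ' PaddedAgent ,example feed,malware,stray whitespace\n'
    'ShortRow,example feed,malware\n'
    ',example feed,malware,empty index value\n'
)


def lint_feed(text):
    """Return (rows, problems): usable rows keyed by column 1, and (line, message) findings."""
    rows, problems = {}, []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # ignore blank lines
        if len(row) != EXPECTED_COLUMNS:
            problems.append((line_no, f"expected {EXPECTED_COLUMNS} columns, found {len(row)}"))
            continue
        value = row[0]
        if not value.strip():
            problems.append((line_no, "empty index value in column 1"))
            continue
        if value != value.strip():
            problems.append((line_no, "leading/trailing whitespace in column 1"))
            value = value.strip()
        if value in rows:
            problems.append((line_no, f"duplicate index value {value!r}"))
            continue
        rows[value] = tuple(row[1:])
    return rows, problems


def lookup(rows, user_agent):
    """Exact-match lookup; assumed behaviour of a Non IP feed on its callback key."""
    return rows.get(user_agent)


if __name__ == "__main__":
    feed_rows, findings = lint_feed(SAMPLE_FEED)
    for line_no, message in findings:
        print(f"line {line_no}: {message}")
```

User-Agent strings often contain commas, so a value such as the second sample row must stay quoted after editing or the row will no longer have four columns.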